1. Field of the Invention
The present invention relates to a method and a system for providing a terminal security checking service, and more particularly to a method and a system for providing a terminal security checking service which are capable of achieving higher-level security even while the system is shared among users and of increasing the flexibility of the system.
The present application claims priority of Japanese Patent Application No. 2005-203562 filed on Jul. 12, 2005, which is hereby incorporated by reference.
2. Description of the Related Art
In recent years, the Internet has come into widespread use and enterprise networks are being constructed on the Internet. At the same time, Internet viruses enter terminal devices (hereinafter simply “terminals”) of such enterprise networks, and worm viruses cause shutdowns of the enterprise networks, which has a significant effect on enterprise activities. To avoid such events, software that can check for the entry of worm viruses, security patches applied to fix security holes in the OS (Operating System) of a terminal and in application software, and the like are widely installed; however, thorough daily checking by using such security software is becoming more difficult.
As a conventional security measure, a PC (Personal Computer) quarantine system is used which makes a security check when a terminal is connected to an enterprise network and provides, after completion of the security check of the terminal, information to be used as a security measure (information about security protection) that can cover a weakness or unreliability of a security measure already taken for the terminal, for example, a security patch. The conventional PC quarantine system is roughly classified into two types: a first-type system configured to have a server that provides the terminal security checking service and client software, and a second-type system configured to have a server that provides the terminal security checking service and a clientless module. In the first-type system, dedicated client software is installed on the terminal. In the second-type system, no dedicated client software is installed on the terminal.
FIG. 10 is a diagram showing the configuration of an example of the above conventional first-type PC quarantine system. The first-type PC quarantine system chiefly includes a terminal 100 on which security checking client software 111 is installed, a security checking server 200, and a network connection managing system 300. These components are connected to a network 400 constructed within the same corporate organization.
In the first-type PC quarantine system, when the terminal 100 is connected to the network 400, the security checking client software 111 collects information about the OS of the terminal 100, information about the version of the virus checking software, and the like, and transmits the information to the security checking server 200. The security checking server 200 checks, according to preset contents to be used for checking, whether or not a specified security patch is applied. Then, the results of the security checking are transferred from the security checking server 200 to the network connection managing system 300. If the result of the security checking is OK, the terminal 100 is connected to the enterprise network 400 to perform ordinary processing tasks. However, if the result of the security checking is NG (not good) or shows an error, the terminal 100 is guided to connect to a network in which only a security measure corresponding to the NG/error result, such as application of a security patch, can be taken.
Moreover, one example of the second-type PC quarantine system is disclosed in Patent Reference 1 (Japanese Patent Application Laid-open No. 2003-303114). The security protecting system disclosed as the second-type PC quarantine system chiefly includes a USB (Universal Serial Bus) key, a PC, and a Web server. To receive the security checking service by using the disclosed security protecting system, a user inserts the USB key into a USB port of the PC. The state of the OS installed in the PC is checked by a program for receiving the security checking service that is stored in the USB key. Then, the PC accesses the Web server, to which information about the state of the installed OS is transferred as the result of the security checking.
The Web server stores, in advance, information to be used as a security measure, for example, a security patch. The Web server, when receiving the information about the state of the OS from the PC, judges whether or not the OS installed in the PC is in the newest security state. If the information to be used as the security measure against the state of the OS installed in the PC, for example, the security patch stored in the Web server, is not yet applied to the OS installed in the PC (that is, the OS is not yet in the newest security state), guidance for applying the security patch is displayed on the Web. The user applies the security patch according to the guidance displayed on the Web.
In addition, Patent Reference 1 also describes that the Web server judges whether the information about the OS received by the Web server coincides (or does not coincide) with the information about the OS installed on the user's PC that is managed by the Web server and, if they do not coincide, the information about the OS installed on the user's PC managed by the Web server is replaced with the new information about the OS received by the Web server. Then, a safe set file corresponding to the updated information about the OS, for which security measures have been taken, is downloaded into the user's PC, which ensures the security of the PC.
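The server-side judgment that both conventional systems share (the first-type security checking server 200 comparing the reported OS and virus-software state against preset check contents and handing an OK/NG result to the network connection managing system 300, and the second-type Web server judging whether the reported OS is in the newest security state) can be modelled as follows. This is an added example, not code from the patent or from Patent Reference 1; the policy format, the patch identifiers, the signature-version numbers and the network names are constructed assumptions.

```python
"""Minimal model of a quarantine posture check: a checking server compares a
terminal's reported OS/patch/virus-definition state with a preset policy and
returns OK or NG plus the measures still missing; a connection manager maps
that result to the enterprise or the remediation network. All identifiers
and sample values below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    # Preset check contents held by the security checking server.
    required_patches: dict  # OS name -> set of required patch identifiers
    min_av_signature: int   # lowest acceptable virus-definition version


@dataclass
class CheckResult:
    status: str                                   # "OK" or "NG"
    missing: list = field(default_factory=list)   # measures still needed


PRODUCTION_NETWORK = "enterprise"    # network 400 in the patent's figure
REMEDIATION_NETWORK = "quarantine"   # network where only fixes can be applied


def check_terminal(report: dict, policy: Policy) -> CheckResult:
    """Security checking server: judge whether the terminal is in the newest
    security state according to the preset policy. An OS the policy does not
    know cannot be verified, so it is reported as NG rather than passed."""
    os_name = report.get("os")
    required = policy.required_patches.get(os_name)
    if required is None:
        return CheckResult("NG", [f"unsupported OS: {os_name!r}"])
    applied = set(report.get("patches", []))
    missing = [f"apply security patch {p}" for p in sorted(required - applied)]
    if report.get("av_signature", 0) < policy.min_av_signature:
        missing.append(f"update virus definitions to >= {policy.min_av_signature}")
    return CheckResult("NG" if missing else "OK", missing)


def assign_network(result: CheckResult) -> str:
    """Network connection managing system: OK -> enterprise network,
    NG or error -> network in which only the missing measures can be taken."""
    return PRODUCTION_NETWORK if result.status == "OK" else REMEDIATION_NETWORK


# Constructed sample policy and terminal reports.
POLICY = Policy({"ExampleOS 5": {"KB-0001", "KB-0002"}}, 120)
REPORT_OK = {"os": "ExampleOS 5", "patches": ["KB-0001", "KB-0002"], "av_signature": 130}
REPORT_NG = {"os": "ExampleOS 5", "patches": ["KB-0001"], "av_signature": 100}

if __name__ == "__main__":
    for rep in (REPORT_OK, REPORT_NG):
        res = check_terminal(rep, POLICY)
        print(res.status, "->", assign_network(res), res.missing)
```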
In the conventional first-type terminal security checking service providing system described above, installation of the dedicated client software is a technological requirement. As a result, in a situation where an Internet access point provided by one of various providers outside a specified organization, for example in a public place, is to be used, providing the security checking service is prone to problems. For example, where the system to be used varies from one organization or provider to another, if tasks extending over more than one organization are to be performed or a plurality of providers is to be accessed, it becomes necessary to install dedicated client software corresponding to each system.
Moreover, when operations are performed at a cooperative partner, the licensed client software must be installed after acquiring a license for the dedicated client software of the system introduced by the cooperative partner and, therefore, the difficult problem of who bears the license fee arises. Another problem is that, since installation of the dedicated client software takes much time and effort and thorough uninstallation of the dedicated client software after termination of the cooperative tasks is difficult, a new terminal for the cooperative tasks must be additionally prepared, which is costly.
In the conventional second-type terminal security checking service providing system described above, no technological problem arises from the installation of dedicated client software on a terminal. However, there is a limit to what the security checking service providing system can check; that is, the second-type terminal security checking service providing system has not yet reached a stage where a service for providing a security patch or the like has been made concrete and, therefore, the technological problem of insufficient provision of the security measures needed by a terminal remains unsolved.
These technological problems can be solved to some extent by the security protecting system disclosed in Patent Reference 1, whose technology is effective as a security measure; however, that security protecting system lacks means for updating the information to be used as security measures and lacks technology for making the security measure means shareable among users.
In addition to the above, in the security protecting system disclosed in Patent Reference 1, the security checking service providing section and the network connection processing section driven according to the security check results operate in a directly coupled manner; that is, there is a strong dependency in the connection between the security checking service providing section and the network connection processing section. Therefore, the security protecting system lacks a technological means for operating the system in close liaison with the security checking service providing section and with other network managing sections, and maintenance of such a network connection managing section is a burden on users.